The value of industry collaboration is clear. By bringing together stakeholders from all areas of IoT, we are creating cross-industry frameworks and standards that equip IoT manufacturers with unified tools to address these fundamental security requirements, and to bring solutions to market more quickly and cost-effectively.
By nature, IoT is fragmented, which creates complexity when developing a unified approach to security. The variety of different use cases and business models throughout the ecosystem presents challenges, both from an implementation and a standardization perspective. Some IoT markets will require higher levels of security than others. What is most important is that there is a unified approach toward understanding these varied requirements.
Business leaders looking to implement security into their IoT devices should start with three basic principles, which will offer a secure foundation upon which devices can be protected. First, they must consider if their products are secure by design. This can be achieved through the use of embedded secure components and optimized APIs that are built based on industry-wide standards.
The second consideration is privacy by design. This is a simple concept by which enterprises should only record and store data that is absolutely necessary for a product’s function. By doing this, businesses minimize the databases that can be targeted for attacks. Finally, business leaders should consider security governance. Since IoT devices will be created by various providers, all stakeholders throughout the manufacturing process must work together so that updates are received and deployed within their environment, maintaining security throughout a product’s service life.
The best way for device manufacturers to demonstrate that their products are secure is to evaluate and certify them. This process involves security laboratories and certification bodies, as well as testing and validating the functions and security features of products to determine if they meet a required market standard. Yet, as previously mentioned, the regulatory landscape is fragmented. Numerous industries harbor different challenges and have varying requirements. Not all will approach security testing and evaluation in the same way.
Certification is critical to ensuring trustworthy solutions are deployed. However, evaluation needs to happen in a uniform way to ensure consistency and avoid even more complexity. This is where the SESIP methodology plays a role.
The SESIP methodology focuses on the main features and functionalities of IoT devices; that is, the underlying parts and components that make them up. It allows the various secure parts of an IoT device to be certified, either together or separately, which makes it easier and cheaper to achieve an overall device certification. The pool of manufacturers that develop IoT parts is substantially smaller than the pool that develops connected devices, meaning parts that have been certified for one particular use case could be used in a device to support another use case in a different sector.
SESIP dramatically simplifies security for device makers, certification bodies and testing labs by clearly defining the levels of assurance required for multiple market-specific schemes, which gives manufacturers scalability. Once a manufacturer has certified a component, that same component can be used to secure multiple different products. This shortens the process for device makers and reduces the cost of go-to-market plans, while offering assurance that devices have a set baseline level of security compliant with industry standards.
While IoTopia and SESIP are responding to the evolving needs of the IoT ecosystem, the overarching premise is collaboration. The ‘certification by parts’ approach of SESIP can only work by bringing together various bodies for the benefit of IoT as a whole. Similarly, IoTopia is built upon industry collaboration between the various IoT verticals.
Only by bringing together all stakeholders to identify vulnerabilities, define requirements and develop standardized approaches can we ensure that security happens in a unified and trusted way.
GlobalPlatform is already collaborating with major technology players and other industry bodies, such as RISC-V, to accelerate the development of standards for building, deploying and managing secure IoT solutions.